Single Sign-On & Strong Authentication
Download as PPTX, PDF1 like779 views
The document describes a double single sign-on (SSO) system for secure network establishment. It discusses the need for strong authentication and outlines the key components of the proposed system. The system separates user authorization from identification to enable asynchronous authorization. It employs Shamir's identity-based signature scheme, a zero-knowledge identification protocol, and Simmons' impersonation-proof identity verification scheme. The design establishes identity providers to generate and validate user credentials, allowing users to prove their identity to service providers. The system aims to reduce costs while improving security over existing SSO solutions.
Single Sign-On & Strong Authentication
- 1. Double SSO & Strong Authentication For Secure Network Establishment Project By:- Internal Guide:- External Guide:- Akshaya Kumar Y H M 1BM10CS004 Mrs Nagarathna N Dr Mohammad Misbahuddin Aruna S M 1BM10CS010 Associate Professor Senior Technical Officer, CNIE Sarthak Gupta 1BM10CS065 CSE,BMSCE CDAC, Bangalore 1
- 2. 1. INTRODUCTION 2. LITERATURE REVIEW 3. REQUIREMENTS 4. DESIGN & IMPLIMENTATION 5. SOCIETAL IMPACTS 6. CONCLUSION 7. REFERENCE 2
- 3. Requirements Hardware Requirements • Application uses Server as one of the major component, we need the Client machines to connect to the Server and Network setup. • Processor • RAM : Intel i3 or above or equivalent : 4GB or more Software Requirements • Web Server , Service Provider and Client machines with web support. • Proposed implementation language is C / C++, however we may occasionally work with certain scripting languages to configure and work with the Server. 3
- 4. INTRODUCTION SINGLE SIGN-ON SYSTEM (SSO) Property of access control that enables a user to perform a single authentication to a service, and then get access to other protected services without the need to re-authenticate. DOUBLE SSO Double SSO is a secure server-side caching-based SSO architecture and a proxy-based pseudo-SSO system. 4
- 5. ADVANTAGES • With SSO, users' and administrators' lives become much easier as they will • • • • have to deal with a single digital identity for each user. Reduces IT help desk costs, by reducing the number of calls to the help desk about lost password. A user will have to provide this digital identity only once per day. This will increase user's productivity. The maintenance of authentication data and enforcement of authentication policies become much easier with SSO, since authentications data will be centralized. Reduces the chance that users will forget or lose their digital identities, therefore it reduces the risk of compromising a security system. 5
- 6. Double SSO Features • User Authorization is separated from Identification Process. • Asynchronous authorization is achieved. • Executes a minimum number of computations on the user side and requires parties to maintain the bare minimum number of keys. • Provably precludes the Replay Attack, the Man-in-the-Middle Attack and the Weakest Link Attack. Additionally, it is safe from repudiated parties. 6
- 7. Security Analysis • • • • • • The Weakest Link Attack Attacks on Security Parameters Attacks on Identity Proof The Replay Attack The Man-in-the-Middle Attack Repudiation of Parties 7
- 8. LITERATURE REVIEW SSO Categories • Web SSO : These solutions are for users who access applications using a web interface. • Enterprise SSO: These solutions are much broader than web SSO in that they provide SSO to almost all kinds of applications, not only to webenabled applications. • Network SSO : These solutions are for users who access applications in a corporate network domain either through a LAN, or wirelessly, or through a VPN connection. 8
- 9. Available SSO Solutions • • • • • Google SSO Solution Windows Live ID Microsoft Office SharePoint Server Active Directory Federation Service Liberty SSO Solution 9
- 10. Double SSO Components • Shamir's Identity-Based Signature Scheme • Zero-Knowledge Identification Protocol • Simmons' Impersonation-Proof Identity Verification Scheme 10
- 11. Shamir's Identity-Based Signature Scheme • The user uses her/his identity as a public key and asks a trusted Key Generation Center (KGC) to generate the corresponding private key. • • • • KGC generates RSA Public & Private Keys. KGC issues a Private key to the Sender. Sender signs on the message using the Private key issued by KGC. Receiver Verifies the message using Senders’ RSA Public key and Identity. 11
- 12. 12
- 13. Zero-Knowledge Identification Protocol • • • • P sends witness ( calculated using random number ) to V V challenges P with a time-variant challenge P uses the challenge and secret to compute the response that she sends to V V uses the response and her challenge to decide whether the response is correct • A zero-knowledge protocol must satisfy three properties: Completeness: Prover is Honest Soundness: False Prover are not entertained Zero-knowledge: No Interaction can be Repudiated 13
- 14. 14
- 15. Simmons' Impersonation-Proof Identity Verification Scheme • Simmons' scheme relies on an issuer's public authentication channel to validate a private authentication channel belonging to a user who wants to prove identity. • These two channels can be independent and based on two different authentication algorithms. • The scheme assumes a trusted issuer whose responsibility is to validate identification credentials of each user. 15
- 16. 16
- 18. Identity Provider Setup 1. Identity provider generates RSA public & private key (e,n) & (d,n) where n=p × q, p & q being two large prime numbers generated according to RSA algorithm 2. e & n are made public. 3. Identity Provider constructs a secret redundant data block seed. 18
- 19. 19
- 20. User Registering to Identity Provider 20
- 21. 21
- 22. User proving Identity to Identity Provider 22
- 23. 23
- 24. Identity Provider verifies user to Service Provider 24
- 25. 25
- 26. Societal Impact • Introduction of light weight and secure SSO will help in reducing cost of IT management. • Double SSO does not require time synchronization between involved parties, thus helping novices. • One Stage in Double SSO can be extracted and used independently as an Identification Protocol, thus reducing cost of additional identification algorithm. 26
- 27. Conclusion Lot of theories have been put in to explain and Implement SSO solution for different platform. It is always seldom confusing to choose which SSO solution is better. Double SSO considers all such aspect thus resolving the conflict. Many currently available SSO solutions involve high operational overhead as they contain Cryptographic value calculations. Double SSO enhances efficiency so that additional overhead is removed making it safe and suitable. 27
- 28. Work Plan 28
- 29. Resources & References 1. Double SSO – A Prudent and Lightweight SSO Scheme Master of Science Thesis in the Programme Secure and Dependable Computer Systems SARI HAJ HUSSEIN. Chalmers University of Technology Department of Computer Science and Engineering , Göteborg, Sweden, November 2010 2. M. Linden and I. Vilpola. An Empirical Study on the Usability of Logout in a Single Sign-on System. Proceedings of the 1st International Conference on Information Security Practice and Experience, Singapore, 2005. 3. A. Shamir. Identity-Based Cryptosystem and Signature Scheme. Proceedings ofCRYPTO 84, Santa Barbara, California, USA, 1984. 4. U. Fiege, A. Fiat and A. Shamir. Zero knowledge proofs of identity. Proceedings of the nineteenth annual ACM symposium on Theory of computing, New York, USA, 1987. 5. G. J. Simmons. An Impersonation-Proof Identity Verification Scheme. Proceedings of CRYPTO 87, Santa Barbara, California, USA, 1987. 29